
Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault


Academic year: 2021


HAL Id: hal-01573310

https://hal.inria.fr/hal-01573310

Submitted on 9 Aug 2017


Distributed under a Creative Commons Attribution 4.0 International License


Michael Tunstall, Debdeep Mukhopadhyay, Subidh Ali

To cite this version:

Michael Tunstall, Debdeep Mukhopadhyay, Subidh Ali. Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault. 5th Workshop on Information Security Theory and Practices (WISTP), Jun 2011, Heraklion, Crete, Greece. pp.224-233, ⟨10.1007/978-3-642-21040-2_15⟩. ⟨hal-01573310⟩


Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault

Michael Tunstall¹, Debdeep Mukhopadhyay², and Subidh Ali²

¹ Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol BS8 1UB, United Kingdom.

[email protected]

² Computer Sc. and Engg, IIT Kharagpur, India.

{debdeep,subidh}@cse.iitkgp.ernet.in

Abstract. In this paper we present a differential fault attack that can be applied to the AES using a single fault. We demonstrate that when a single random byte fault is induced at the input of the eighth round, the AES key can be deduced using a two stage algorithm. The first step has a statistical expectation of reducing the possible key hypotheses to $2^{32}$, and the second step to a mere $2^8$.

Keywords: Differential Fault Analysis, Fault Attack, Advanced Encryption Standard.

1 Introduction

The Advanced Encryption Standard (AES) [10] has been a de-facto standard for symmetric key cryptography since October 2000. Smart cards and secure microprocessors, therefore, typically include implementations of AES to protect the confidentiality and the integrity of sensitive information. To satisfy the high throughput requirements of such applications, these implementations are typically VLSI devices (crypto-accelerators) or highly optimized software routines (crypto-libraries).

Several applications of DFA to AES have been reported in the literature.

In [3], the author describes an analysis based on faults induced in one byte of the ninth round of AES that requires 250 faulty ciphertexts. An attack reported in [1] allows an attacker to recover the secret key with around 128 to 256 faulty ciphertexts. In [2], Dusart et al. show that using a fault which affects one byte anywhere between the eighth round MixColumn and ninth round MixColumn, an attacker would be able to derive the secret key using 40 faulty ciphertexts. The authors of [12] describe an attack on AES with single byte faults that requires two faulty outputs, where a fault is induced in the input of the eighth or ninth round; this was extended to one 32-bit fault in the ninth round in [8].

We can note that when the assumptions are on the value of a byte (either it being faulty or uncorrupted) the number of faulty pairs is quite small. However, it is difficult to be able to affect a given value with any certainty. When numerous faulty ciphertexts are required this problem is amplified, since an attacker needs to find a method of determining which faulty ciphertexts correspond to the desired model. We can, therefore, state that the attacks that are most likely to be realizable require the least faulty ciphertexts and assumptions on the effect of the fault.

In [9] a fault attack against AES was proposed, which suggested that a secret key can be derived using a single byte fault induction at the input of the eighth round. The attack exploited the inter-relations between the fault values in the state matrix after the ninth round MixColumn operation and reduced the number of possible keys to around $2^{32}$. However, it may be noted that this work, like the previous fault attacks on AES, does not use the effect of the fault maximally in an information theoretic sense [7]. The work proposed in this paper improves the previous fault analysis on AES-128 and reduces the key space to its minimal possible set of hypotheses attainable using a single byte fault. In this paper, we describe the extended version of this attack, where an attacker could reduce the exhaustive search to $2^8$.

Notation

In this paper, multiplications are considered to be polynomial multiplications over $\mathbb{F}_{2^8}$ modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$. It should be clear from the context when a mathematical expression contains integer multiplication.

Organization

The paper is organized as follows: In Section 2 we describe the background to this paper. In Section 3 we describe an attack based on one of the fault models given in Section 2. In Section 3 we extend this attack. In Section 4 we compare this paper to work described in the literature, and we conclude in Section 5.

2 Background

2.1 The Advanced Encryption Standard

The structure of the Advanced Encryption Standard (AES), as used to perform encryption, is illustrated in Algorithm 1. Note that we restrict ourselves to considering AES-128 and that the description above omits a permutation typically used to convert the plaintext $P = (p_1, p_2, \ldots, p_{16})_{(256)}$ and key $K = (k_1, k_2, \ldots, k_{16})_{(256)}$ into a 4×4 array of bytes, known as the state matrix. For example, the 128-bit plaintext input block $P$ and the fault-free ($CT$) and faulty ($CT'$) ciphertexts it produces are arranged in the following fashion

Algorithm 1: The AES-128 encryption function.

Input: The 128-bit plaintext block P and key K.

Output: The 128-bit ciphertext block C.

    X ← AddRoundKey(P, K)
    for i ← 1 to 10 do
        X ← SubBytes(X)
        X ← ShiftRows(X)
        if i ≠ 10 then
            X ← MixColumns(X)
        end
        K ← KeySchedule(K)
        X ← AddRoundKey(X, K)
    end
    C ← X
    return C

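$$P = \begin{pmatrix} p_1 & p_5 & p_9 & p_{13} \\ p_2 & p_6 & p_{10} & p_{14} \\ p_3 & p_7 & p_{11} & p_{15} \\ p_4 & p_8 & p_{12} & p_{16} \end{pmatrix} \qquad CT = \begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix} \qquad CT' = \begin{pmatrix} x'_1 & x'_5 & x'_9 & x'_{13} \\ x'_2 & x'_6 & x'_{10} & x'_{14} \\ x'_3 & x'_7 & x'_{11} & x'_{15} \\ x'_4 & x'_8 & x'_{12} & x'_{16} \end{pmatrix}$$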

where $x_i \in \{0, \ldots, 255\}$ $\forall i \in \{1, \ldots, 16\}$. We also define the key matrix for the subkeys used in the ninth and tenth round as $K_{10} = \{k_1, \ldots, k_{16}\}$ and $K_9 = \{k_1, \ldots, k_{16}\}$ that are arranged in a state matrix as described above.

The encryption itself is conducted by the repeated use of a number of round functions:

– The SubBytes function is the only non-linear step of the block cipher. It is a bricklayer permutation consisting of an S-box applied to the bytes of the state. Each byte of the state matrix is replaced by its multiplicative inverse, followed by an affine mapping. Thus the input byte $x$ is related to the output $y$ of the S-Box by the relation $y = A\,x^{-1} + B$, where $A$ and $B$ are constant matrices. In the remainder of this paper we will refer to the function $S$ as the SubBytes function and $S^{-1}$ as the inverse of the SubBytes function.

– The ShiftRows function is a byte-wise permutation of the state.

– The KeySchedule function generates the next round key from the previous one. The first round key is the input key with no changes, subsequent round keys are generated using the SubBytes function and XOR operations. This is shown in Algorithm 2 which shows how the $r$th round key is computed from the $(r-1)$th round key. The value $h_r$ is a constant defined for the $r$th round, and << is used to denote a bitwise left shift.

– The MixColumn is a bricklayer permutation operating on the state column by column. Each column of the state matrix is considered as a 4-dimensional vector where each element belongs to $\mathbb{F}(2^8)$. A 4×4 matrix $M$ whose elements are also in $\mathbb{F}(2^8)$ is used to map this column into a new vector. This operation is applied on all the 4 columns of the state matrix. Here $M$ and its inverse $M^{-1}$ are defined as:

$$M = \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix} \qquad M^{-1} = \begin{pmatrix} 14 & 11 & 13 & 9 \\ 9 & 14 & 11 & 13 \\ 13 & 9 & 14 & 11 \\ 11 & 13 & 9 & 14 \end{pmatrix}$$

All the elements in $M$ and $M^{-1}$ are elements of $\mathbb{F}(2^8)$ expressed as a decimal digit.

– AddRoundKey: Each byte of the array is XORed with a byte from a corresponding array of round subkeys.

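Algorithm 2: The AES-128 KeySchedule function.

Input: $(r-1)$th round key ($X = x_i$ for $i \in \{1, \ldots, 16\}$).

Output: $r$th round key $X$.

    for i ← 0 to 3 do
        $x_{(i<<2)+1} \leftarrow x_{(i<<2)+1} \oplus S(x_{(((i+1) \wedge 3)<<2)+4})$
    end
    $x_1 \leftarrow x_1 \oplus h_r$
    for i ← 1 to 16 do
        if (i − 1) mod 4 ≠ 0 then
            $x_i \leftarrow x_i \oplus x_{i-1}$
        end
    end
    return X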

2.2 The Fault Model

The implementation of AES we target is an iterative one, i.e. where a round function is executed in a loop as described in Algorithm 1. An attacker can typically predict at what point in time certain events take place, e.g. when a particular round commences. Moreover, the time certain events take can often be determined by analyzing a suitable side channel.

The fault model that we consider is the same as that used in many other papers, for example [9], where we assume that the effect of an induced fault is to change one byte to a random value.

For example, an attacker could attempt to use a glitch in the clock to create a fault at the input of a particular round with a certain probability. An iterative design helps in this regard, as the attacker is able to control the timing of fault induction by simply counting the number of clock edges from the start of an encryption.

3 The Fault Analysis

3.1 The First Step of the Fault Attack

If a fault is induced in a byte of the state matrix, which is then input to the eighth round, the MixColumn operation at the end of the round propagates this fault to the entire column of the state. The ShiftRow operation at the beginning of the following round will then shift these bytes to occupy different columns. The next MixColumn operation will then propagate the fault to the remaining twelve bytes.

This process is shown in Figure 1 where we show the diffusion of a byte fault induced at the input of the eighth round. The XOR difference of the state matrices of the two results, one fault free and the other faulty, is shown. This is what we use as basis for a differential fault analysis.

[Figure: state-difference matrices after the eighth round Byte Sub, Shift Row and Mix Column, the ninth round Byte Sub, Shift Row and Mix Column, and the tenth round Byte Sub and Shift Row.]

Fig. 1: Propagation of Fault Induced in the input of eighth round of AES.

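If, given a fault in the input to the eighth round, we consider the state of the differences after the ninth round shift row, we can obtain the following set of equations that include the values of the key bytes $k_1$, $k_8$, $k_{11}$ and $k_{14}$, thus giving an expression for 32 bits of $K_{10}$.

$$\begin{aligned}
2\,\delta_1 &= S^{-1}(x_1 \oplus k_1) \oplus S^{-1}(x'_1 \oplus k_1) \\
\delta_1 &= S^{-1}(x_{14} \oplus k_{14}) \oplus S^{-1}(x'_{14} \oplus k_{14}) \\
\delta_1 &= S^{-1}(x_{11} \oplus k_{11}) \oplus S^{-1}(x'_{11} \oplus k_{11}) \\
3\,\delta_1 &= S^{-1}(x_8 \oplus k_8) \oplus S^{-1}(x'_8 \oplus k_8)
\end{aligned}$$

where $\delta_1$, $k_1$, $k_8$, $k_{11}$ and $k_{14}$ are all unknown values $\in \{0, \ldots, 255\}$.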

The above system of equations can be used to reduce the possibilities for these 32 bits of the key. An attacker would select a value for $\delta_1$ and determine which values of $k_1$, $k_8$, $k_{11}$ and $k_{14}$ satisfy the equations using four independent exhaustive searches. Each equation will return 0, 2, or 4 hypotheses [11]. If any of the four equations cannot be satisfied, i.e. there is an impossible differential [6], then any hypotheses for that value of $\delta_1$ can be discarded.

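As noted in [4, 8] one can apply the same technique to recover information on the remaining bytes of the last sub key. That is, information on the remaining key bytes can be derived by using the following sets of equations: In order to obtain information on $k_2$, $k_5$, $k_{12}$ and $k_{15}$ an attacker can use

$$\begin{aligned}
3\,\delta_2 &= S^{-1}(x_5 \oplus k_5) \oplus S^{-1}(x'_5 \oplus k_5) \\
2\,\delta_2 &= S^{-1}(x_2 \oplus k_2) \oplus S^{-1}(x'_2 \oplus k_2) \\
\delta_2 &= S^{-1}(x_{15} \oplus k_{15}) \oplus S^{-1}(x'_{15} \oplus k_{15}) \\
\delta_2 &= S^{-1}(x_{12} \oplus k_{12}) \oplus S^{-1}(x'_{12} \oplus k_{12})
\end{aligned}$$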

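In order to obtain information on $k_3$, $k_6$, $k_9$ and $k_{16}$ an attacker can use the following equations:

$$\begin{aligned}
\delta_3 &= S^{-1}(x_9 \oplus k_9) \oplus S^{-1}(x'_9 \oplus k_9) \\
3\,\delta_3 &= S^{-1}(x_6 \oplus k_6) \oplus S^{-1}(x'_6 \oplus k_6) \\
2\,\delta_3 &= S^{-1}(x_3 \oplus k_3) \oplus S^{-1}(x'_3 \oplus k_3) \\
\delta_3 &= S^{-1}(x_{16} \oplus k_{16}) \oplus S^{-1}(x'_{16} \oplus k_{16})
\end{aligned}$$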

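Finally, in order to obtain information on $k_4$, $k_7$, $k_{10}$ and $k_{13}$ an attacker can use the following equations:

$$\begin{aligned}
\delta_4 &= S^{-1}(x_{13} \oplus k_{13}) \oplus S^{-1}(x'_{13} \oplus k_{13}) \\
\delta_4 &= S^{-1}(x_{10} \oplus k_{10}) \oplus S^{-1}(x'_{10} \oplus k_{10}) \\
3\,\delta_4 &= S^{-1}(x_7 \oplus k_7) \oplus S^{-1}(x'_7 \oplus k_7) \\
2\,\delta_4 &= S^{-1}(x_4 \oplus k_4) \oplus S^{-1}(x'_4 \oplus k_4)
\end{aligned}$$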

It can be noted that the equations have an identical structure, and, therefore, the solutions are of similar nature. An evaluation of each set of equations will be expected to return $2^8$ unique hypotheses for the key bytes concerned. Therefore, an attacker would expect to have $2^{32}$ key hypotheses for the secret key used.

3.2 Analysis of the first step of the fault attack

The first step of the fault attack uses four sets of equations to reduce the key space of AES. In this section we determine the expected number of key hypotheses that an attacker will have at each stage of an attack.

In order to analyze the number of valid hypotheses in the first stage of the attack we consider the first set of equations given in Section 3.1. In this set of equations $\delta_1 \in \{1, \ldots, 255\}$. If $\delta_1$ is equal to zero then one could say that the expected fault has not been injected. If $\delta_1$ is zero it would imply that $x_1$ is equal to $x'_1$ and all 256 key hypotheses are possible. Let us first consider the first equation in this set:

$$2\,\delta_1 = S^{-1}(x_1 \oplus k_1) \oplus S^{-1}(x'_1 \oplus k_1)$$

We know the values of $x_1$ and $x'_1$ from the correct and faulty ciphertexts respectively. For a given value of $2\delta_1$ there will be 0, 2 or 4 valid key hypotheses. The mean number of hypotheses for all $\delta_1 \in \{1, \ldots, 255\}$ is approximately one, and, therefore, there are 256 key hypotheses when all $\delta_1 \in \{1, \ldots, 255\}$ are considered.

The same can be said for each of the four equations in the set given above. However, for a given value of $\delta_1$ each of the four equations would be expected to return approximately one hypothesis for a key byte. These values will give one hypothesis for the quartet of key bytes $\{k_1, k_8, k_{11}, k_{14}\}$. Given that an attacker will have to take into account all the values in $\{0, \ldots, 255\}$ there will be 256 possible values for the quartet $\{k_1, k_8, k_{11}, k_{14}\}$. After an attacker has analyzed the four equations defined in Section 3.1 there would be an expected $2^{32}$ key hypotheses.
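The counts claimed in Sections 3.1 and 3.2 can be checked directly against the AES S-box, which is useful when estimating how much key entropy survives a single fault. The following Python is an added example, not code from the paper; the function names and sample byte values are constructed for illustration, and it only counts hypotheses on simulated differences.

```python
import random

def xtime(a):
    """Multiply by x (i.e. by 2) in F_{2^8} modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gmul(a, b):
    """Polynomial multiplication in F_{2^8}, as in the paper's Notation section."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """AES SubBytes: multiplicative inverse followed by the affine mapping."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        y = inv
        for s in range(1, 5):                      # inv ^ rotl(inv, 1..4)
            y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# DDT[a][b] = number of bytes y with S^-1(y) xor S^-1(y xor a) == b
DDT = [[0] * 256 for _ in range(256)]
for a in range(256):
    for y in range(256):
        DDT[a][INV_SBOX[y] ^ INV_SBOX[y ^ a]] += 1

COEFFS = (2, 1, 1, 3)   # first equation set: ciphertext bytes x1, x14, x11, x8

def solutions_per_delta(x, x_faulty, coeff):
    """For each delta in 1..255, count the key bytes k that solve
    coeff*delta = S^-1(x ^ k) ^ S^-1(x_faulty ^ k)."""
    a = x ^ x_faulty                       # y = x ^ k is a bijection on k
    return [DDT[a][gmul(coeff, d)] for d in range(1, 256)]

def quartet_hypotheses(diffs):
    """Count (k1, k14, k11, k8) quartets consistent with any delta_1 in 1..255."""
    total = 0
    for d in range(1, 256):
        n = 1
        for a, c in zip(diffs, COEFFS):
            n *= DDT[a][gmul(c, d)]
        total += n
    return total

def constructed_diffs(rng):
    """Constructed sample: ciphertext-byte differences caused by a random delta_1."""
    d = rng.randrange(1, 256)
    out = []
    for c in COEFFS:
        u = rng.randrange(256)             # byte entering the last SubBytes
        out.append(SBOX[u] ^ SBOX[u ^ gmul(c, d)])
    return out

def mean_quartet_hypotheses(samples=200, seed=2011):
    """Average quartet count over simulated single-byte faults (seeded)."""
    rng = random.Random(seed)
    return sum(quartet_hypotheses(constructed_diffs(rng))
               for _ in range(samples)) / samples

if __name__ == "__main__":
    counts = solutions_per_delta(0x3A, 0xC5, 2)    # constructed byte pair
    print(sorted(set(counts)), sum(counts))
    print(mean_quartet_hypotheses())
```

For any non-zero ciphertext difference the per-$\delta_1$ counts are 0, 2 or 4 and sum to 256, and the simulated quartet average comes out close to $2^8$, in line with the $2^{32}$ total over the four equation sets.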


3.3 The Second Step of the Fault Attack

In order to further reduce the key hypotheses we use the relationship between the ninth round key and the tenth round key.

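We consider the key-scheduling algorithm (see Algorithm 2), the ninth round key, $K_9$, generates the tenth round key, $K_{10}$. The key schedule is invertible and $K_9$ can be expressed in terms of elements of $K_{10}$. The value of $K_9$ can be expressed as

$$\begin{pmatrix}
k_1 \oplus S(k_{14} \oplus k_{10}) \oplus h_{10} & k_5 \oplus k_1 & k_9 \oplus k_5 & k_{13} \oplus k_9 \\
k_2 \oplus S(k_{15} \oplus k_{11}) & k_6 \oplus k_2 & k_{10} \oplus k_6 & k_{14} \oplus k_{10} \\
k_3 \oplus S(k_{16} \oplus k_{12}) & k_7 \oplus k_3 & k_{11} \oplus k_7 & k_{15} \oplus k_{11} \\
k_4 \oplus S(k_{13} \oplus k_9) & k_8 \oplus k_4 & k_{12} \oplus k_8 & k_{16} \oplus k_{12}
\end{pmatrix}.$$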

We can observe that the fault values in the first column of the state matrix at the output of the eighth round MixColumn is $(2f, f, f, 3f)$, where $f$ is a non-zero arbitrary value in $\mathbb{F}_{2^8}$. Using the InverseMixColumn operation and using the inter-relations between the fault values, we can define the following equation:

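$$\begin{aligned}
2f ={} & S^{-1}\Big( 14\big(S^{-1}(x_1 \oplus k_1) \oplus ((k_1 \oplus S(k_{14} \oplus k_{10}) \oplus h_{10}))\big) \oplus 11\big(S^{-1}(x_8 \oplus k_8) \oplus (k_2 \oplus S(k_{15} \oplus k_{11}))\big) \\
& \qquad \oplus\, 13\big(S^{-1}(x_{11} \oplus k_{11}) \oplus (k_3 \oplus S(k_{16} \oplus k_{12}))\big) \oplus 9\big(S^{-1}(x_8 \oplus k_8) \oplus (k_4 \oplus S(k_{13} \oplus k_9))\big) \Big) \\
\oplus\; & S^{-1}\Big( 14\big(S^{-1}(x'_1 \oplus k_1) \oplus ((k_1 \oplus S(k_{14} \oplus k_{10}) \oplus h_{10}))\big) \oplus 11\big(S^{-1}(x'_8 \oplus k_8) \oplus (k_2 \oplus S(k_{15} \oplus k_{11}))\big) \\
& \qquad \oplus\, 13\big(S^{-1}(x'_{11} \oplus k_{11}) \oplus (k_3 \oplus S(k_{16} \oplus k_{12}))\big) \oplus 9\big(S^{-1}(x'_8 \oplus k_8) \oplus (k_4 \oplus S(k_{13} \oplus k_9))\big) \Big)
\end{aligned}$$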

Similarly, we can define the following equations:

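$$\begin{aligned}
f ={} & S^{-1}\Big( 9\big(S^{-1}(x_{13} \oplus k_{13}) \oplus (k_{13} \oplus k_9)\big) \oplus 14\big(S^{-1}(x_{10} \oplus k_{10}) \oplus (k_{10} \oplus k_{14})\big) \\
& \qquad \oplus\, 11\big(S^{-1}(x_7 \oplus k_7) \oplus (k_{15} \oplus k_{11})\big) \oplus 13\big(S^{-1}(x_4 \oplus k_4) \oplus (k_{16} \oplus k_{12})\big) \Big) \\
\oplus\; & S^{-1}\Big( 9\big(S^{-1}(x'_{13} \oplus k_{13}) \oplus (k_{13} \oplus k_9)\big) \oplus 14\big(S^{-1}(x'_{10} \oplus k_{10}) \oplus (k_{10} \oplus k_{14})\big) \\
& \qquad \oplus\, 11\big(S^{-1}(x'_7 \oplus k_7) \oplus (k_{15} \oplus k_{11})\big) \oplus 13\big(S^{-1}(x'_4 \oplus k_4) \oplus (k_{16} \oplus k_{12})\big) \Big)
\end{aligned}$$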

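$$\begin{aligned}
f ={} & S^{-1}\Big( 13\big(S^{-1}(x_9 \oplus k_9) \oplus (k_9 \oplus k_5)\big) \oplus 9\big(S^{-1}(x_6 \oplus k_6) \oplus (k_{10} \oplus k_6)\big) \\
& \qquad \oplus\, 14\big(S^{-1}(x_3 \oplus k_3) \oplus (k_{11} \oplus k_7)\big) \oplus 11\big(S^{-1}(x_{16} \oplus k_{16}) \oplus (k_{12} \oplus k_8)\big) \Big) \\
\oplus\; & S^{-1}\Big( 13\big(S^{-1}(x'_9 \oplus k_9) \oplus (k_9 \oplus k_5)\big) \oplus 9\big(S^{-1}(x'_6 \oplus k_6) \oplus (k_{10} \oplus k_6)\big) \\
& \qquad \oplus\, 14\big(S^{-1}(x'_3 \oplus k_3) \oplus (k_{11} \oplus k_7)\big) \oplus 11\big(S^{-1}(x'_{16} \oplus k_{16}) \oplus (k_{12} \oplus k_8)\big) \Big)
\end{aligned}$$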


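$$\begin{aligned}
3f ={} & S^{-1}\Big( 11\big(S^{-1}(x_2 \oplus k_2) \oplus (k_2 \oplus k_1)\big) \oplus 13\big(S^{-1}(x_5 \oplus k_5) \oplus (k_6 \oplus k_5)\big) \\
& \qquad \oplus\, 9\big(S^{-1}(x_{12} \oplus k_{12}) \oplus (k_{10} \oplus k_9)\big) \oplus 14\big(S^{-1}(x_{15} \oplus k_{15}) \oplus (k_{14} \oplus k_{13})\big) \Big) \\
\oplus\; & S^{-1}\Big( 11\big(S^{-1}(x'_2 \oplus k_2) \oplus (k_2 \oplus k_1)\big) \oplus 13\big(S^{-1}(x'_5 \oplus k_5) \oplus (k_6 \oplus k_5)\big) \\
& \qquad \oplus\, 9\big(S^{-1}(x'_{12} \oplus k_{12}) \oplus (k_{10} \oplus k_9)\big) \oplus 14\big(S^{-1}(x'_{15} \oplus k_{15}) \oplus (k_{14} \oplus k_{13})\big) \Big)
\end{aligned}$$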

The second stage of the attack is coupled with the first stage, and can be used to further reduce the number of key hypotheses.

3.4 Analysis of the second step of the fault attack

The expected number of hypotheses produced by the second step of the attack follows a similar reasoning to the analysis of the first step, given in Section 3.2.

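If we consider the second equation defined in Section 3.3, it can be rewritten as

$$f = A \oplus B,$$

where $A$ and $B$ are defined as

$$\begin{aligned}
A ={} & S^{-1}\Big( 9\big(S^{-1}(x_{13} \oplus k_{13}) \oplus (k_{13} \oplus k_9)\big) \oplus 14\big(S^{-1}(x_{10} \oplus k_{10}) \oplus (k_{10} \oplus k_{14})\big) \\
& \qquad \oplus\, 11\big(S^{-1}(x_7 \oplus k_7) \oplus (k_{15} \oplus k_{11})\big) \oplus 13\big(S^{-1}(x_4 \oplus k_4) \oplus (k_{16} \oplus k_{12})\big) \Big)
\end{aligned}$$

and

$$\begin{aligned}
B ={} & S^{-1}\Big( 9\big(S^{-1}(x'_{13} \oplus k_{13}) \oplus (k_{13} \oplus k_9)\big) \oplus 14\big(S^{-1}(x'_{10} \oplus k_{10}) \oplus (k_{10} \oplus k_{14})\big) \\
& \qquad \oplus\, 11\big(S^{-1}(x'_7 \oplus k_7) \oplus (k_{15} \oplus k_{11})\big) \oplus 13\big(S^{-1}(x'_4 \oplus k_4) \oplus (k_{16} \oplus k_{12})\big) \Big).
\end{aligned}$$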

We can consider $A$ and $B$ to be random values in $\mathbb{F}_{2^8}$. For a given value of $f$ the difference between $A$ and $B$ will be equal to $f$ with a probability of $\frac{1}{2^8}$. Using the same reasoning, the probability of all four equations being valid is $\left(\frac{1}{2^8}\right)^4 = \frac{1}{2^{32}}$. We have to consider all the possible values of $f$, i.e. $\{0, \ldots, 255\}$. A given key hypothesis will, therefore, be valid for some arbitrary value of $f$ with a probability of $2^8 \times \frac{1}{2^{32}} = \frac{1}{2^{24}}$. The first step of the attack is expected to return $2^{32}$ hypotheses, each of which will still be under consideration at the end of the second step with a probability of $\frac{1}{2^{24}}$. One would, therefore, expect the second step of the attack to produce $2^8$ possible key hypotheses.

3.5 Attacking Other Bytes

In the previous sections we describe an attack where we base our Differential Fault Analysis on the knowledge that a fault has been induced in the first byte of the state matrix. However, we can note that the analysis returns a very small number of hypotheses. We can, therefore, conduct 16 independent analyses under the assumption that a fault is induced in each of the 16 bytes of the state at the beginning of the eighth round. An attacker would expect this to produce $2^4 \times 2^8 = 2^{12}$ valid key hypotheses, which is still a trivial exhaustive search.


4 Comparison with Previous Work

There are several versions of fault-based differential cryptanalysis that are able to reduce the number of key hypotheses from two faults injected into an implementation of AES, as described in [5, 9, 12]. However, the analysis proposed in this paper is more effective, since the resulting exhaustive search can be reduced to a trivial size using one fault. The number of key hypotheses returned by previous work would be somewhat time consuming. The advantage of the proposed attack is that it does not need to reproduce a successful attack in order to be able to determine a secret key. Acquiring multiple faulty ciphertexts can be problematic as faults are only successful with a certain probability, and the effect cannot always be predetermined. This would mean that an attacker could potentially have to search among numerous faulty ciphertexts to find a pair that both have the desired fault.

5 Conclusion

This paper proposes a fault-based differential cryptanalysis of AES that is an extended version of the attack described in [9]. An attacker would expect to be able to reduce the number of key hypotheses from $2^{128}$ to $2^8$ with one well placed fault. As noted in [8], these attacks can be conducted without any knowledge of the plaintext being enciphered, as an attacker would just need to know the plaintexts were the same.

There are many descriptions of a fault-based differential cryptanalysis of AES that could be prevented by repeating the last two or three rounds of an implementation of AES, to verify that no exploitable fault has been inserted [1–3, 12, 13]. However, to prevent the attack described in this paper the last four rounds would need to be repeated to check no fault was injected. Moreover, given how much information can be gleaned from one fault, one would expect there are attacks that require more faulty ciphertexts that would be able to make use of faults in earlier rounds. One would, therefore, suggest that in order to protect an implementation of AES the last five rounds should be protected against fault injection.

Acknowledgements

The work described in this paper has been supported in part by the European Commission IST Programme under Contract ICT-2007-216676 ECRYPT II and EPSRC grant EP/F039638/1 “Investigation of Power Analysis Attacks”. The second author would like to acknowledge the support of Department of Science and Technology (DST) India under the Fast Track Proposals for Young Scientists for the proposal entitled “Design and Analysis of Side Channel Attack Resistant Symmetric Key Cryptosystems”.

References

1. J. Blömer and J.-P. Seifert. Fault based cryptanalysis of the advanced encryption standard (AES). In R. N. Wright, editor, Financial Cryptography — FC 2003, volume 2742 of Lecture Notes in Computer Science, pages 162–181. Springer-Verlag, 2003.

2. P. Dusart, G. Letourneux, and O. Vivolo. Differential fault analysis on A.E.S. In J. Zhou, M. Yung, and Y. Han, editors, Applied Cryptography and Network Security — ACNS 2003, volume 2846 of Lecture Notes in Computer Science, pages 293–306. Springer-Verlag, 2003.

3. C. Giraud. DFA on AES. In H. Dobbertin, V. Rijmen, and A. Sowa, editors, International Conference Advanced Encryption Standard — AES 2004, volume 3373 of Lecture Notes in Computer Science, pages 27–41. Springer-Verlag, 2004.

4. C. Giraud and A. Thillard. Piret and Quisquater’s DFA on AES revisited. Cryptology ePrint Archive, Report 2010/440, 2010. http://eprint.iacr.org/.

5. C. H. Kim and J.-J. Quisquater. New differential fault analysis on AES key schedule: Two faults are enough. In G. Grimaud and F.-X. Standaert, editors, Smart Card Research and Advanced Applications — CARDIS 2008, volume 5189 of Lecture Notes in Computer Science, pages 48–60. Springer-Verlag, 2008.

6. L. Knudsen. DEAL — a 128-bit block cipher. Technical report no. 151. Department of Informatics, University of Bergen, Norway, 1998.

7. Y. Li, S. Gomisawa, K. Sakiyama, and K. Ohta. An information theoretic perspective on the differential fault analysis against AES. Cryptology ePrint Archive, Report 2010/032, 2010. http://eprint.iacr.org/.

8. A. Moradi, M. T. Manzuri Shalmani, and M. Salmasizadeh. A generalized method of differential fault attack against AES cryptosystem. In L. Goubin and M. Matsui, editors, Cryptographic Hardware and Embedded Systems — CHES 2006, volume 4249 of Lecture Notes in Computer Science, pages 91–100. Springer-Verlag, 2006.

9. D. Mukhopadhyay. An improved fault based attack of the advanced encryption standard. In B. Preneel, editor, Progress in Cryptology — AFRICACRYPT 2009, volume 5580 of Lecture Notes in Computer Science, pages 421–434. Springer-Verlag, 2009.

10. National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES). FIPS Publication 197, available for download at http://www.itl.nist.gov/fipspubs/, 2001.

11. K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology — EUROCRYPT ’93, volume 765 of Lecture Notes in Computer Science, pages 55–64. Springer-Verlag, 1993.

12. G. Piret and J.-J. Quisquater. A differential fault attack technique against SPN structure, with application to the AES and KHAZAD. In C. D. Walter, Ç. K. Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems — CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 77–88. Springer-Verlag, 2003.

13. J. Takahashi, T. Fukunaga, and K. Yamakoshi. DFA mechanism on the AES schedule. In Fault Diagnosis and Tolerance in Cryptography 2007 — FDTC 07, pages 62–72, 2007.
